isophonics-drupal-site: vendor/zendframework/zend-escaper/doc/book/escaping-javascript.md @ 0:4c8ae668cc8c
Initial import (non-working)
author: Chris Cannam
date: Wed, 29 Nov 2017 16:09:58 +0000

# Escaping JavaScript

JavaScript string literals in HTML are subject to significant restrictions due
to the potential for unquoted attributes and uncertainty as to whether
JavaScript will be viewed as being `CDATA` or `PCDATA` by the browser. To
eliminate any possible XSS vulnerabilities, JavaScript escaping for HTML extends
the escaping rules of both ECMAScript and JSON to include any potentially
dangerous character. Very similar to HTML attribute value escaping, this means
escaping everything except basic alphanumeric characters and the comma, period,
and underscore characters as hexadecimal or Unicode escapes.

JavaScript escaping applies to all literal strings and digits. It is not
possible to safely escape other JavaScript markup.

To escape data in the **JavaScript context**, use `Zend\Escaper\Escaper`'s
`escapeJs()` method. An extended set of characters is escaped beyond
ECMAScript's rules for JavaScript literal string escaping in order to prevent
misinterpretation of JavaScript as HTML leading to the injection of special
characters and entities.

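As an added illustration (not Zend\Escaper's own code), the following Python re-implements the escaping rule just described and checks that the attack string used in this page's examples comes out as a pure literal. The function names `escape_js` and `is_safe_literal` are mine, and the output format (`\xHH` for ASCII, `\uHHHH` per UTF-16 code unit) is my reading of "hexadecimal or Unicode escapes".

```python
import re

# Characters the rule leaves untouched: alphanumerics, comma, period, underscore.
SAFE = re.compile(r"[A-Za-z0-9,._]")


def escape_js(value: str) -> str:
    """Escape a string for use inside a quoted JavaScript string literal embedded
    in HTML, following the rule on this page (illustrative re-implementation)."""
    out = []
    for ch in value:
        if SAFE.match(ch):
            out.append(ch)
            continue
        cp = ord(ch)
        if cp < 0x80:
            # ASCII control and punctuation characters: two-digit hex escape.
            out.append("\\x%02X" % cp)
        else:
            # Everything else: one \u escape per UTF-16 code unit, so characters
            # outside the BMP become a surrogate pair.
            for hi, lo in zip(*[iter(ch.encode("utf-16-be"))] * 2):
                out.append("\\u%04X" % ((hi << 8) | lo))
    return "".join(out)


# Only these three forms may survive in escaped output.
ESCAPED = re.compile(r"^(?:[A-Za-z0-9,._]|\\x[0-9A-F]{2}|\\u[0-9A-F]{4})*$")


def is_safe_literal(escaped: str) -> bool:
    """True when the value can only be read as literal characters by the JS
    parser: no raw quote, angle bracket, ampersand, newline or semicolon."""
    return ESCAPED.match(escaped) is not None


if __name__ == "__main__":
    # Constructed input: the attack string from the page's examples.
    payload = 'bar"; alert("Meow!"); var xss="true'
    escaped = escape_js(payload)
    print('var foo = "%s";' % escaped)  # safe to drop into a <script> block
    assert is_safe_literal(escaped)
    assert not is_safe_literal(payload)
```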
## Example of Bad JavaScript Escaping

An example of incorrect JavaScript escaping:

```php
<?php header('Content-Type: application/xhtml+xml; charset=UTF-8'); ?>
<!DOCTYPE html>
<?php
$input = <<<INPUT
bar"; alert("Meow!"); var xss="true
INPUT;

$output = json_encode($input);
?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Unescaped Entities</title>
<meta charset="UTF-8"/>
<script type="text/javascript">
<?php
// this will result in
// var foo = "bar"; alert("Meow!"); var xss="true";
?>
var foo = <?= $output ?>;
</script>
</head>
<body>
<p>json_encode() is not good for escaping javascript!</p>
</body>
</html>
```

The above example will show an alert popup box as soon as the page is loaded,
because the data is not properly escaped for the JavaScript context.

## Example of Good JavaScript Escaping

By using the `escapeJs()` method in the JavaScript context, such attacks can be
prevented:

```php
<?php header('Content-Type: text/html; charset=UTF-8'); ?>
<!DOCTYPE html>
<?php
$input = <<<INPUT
bar"; alert("Meow!"); var xss="true
INPUT;

$escaper = new Zend\Escaper\Escaper('utf-8');
$output = $escaper->escapeJs($input);
?>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<title>Escaped Entities</title>
<meta charset="UTF-8"/>
<script type="text/javascript">
<?php
// this will look like
// var foo =
bar\x26quot\x3B\x3B\x20alert\x28\x26quot\x3BMeow\x21\x26quot\x3B\x29\x3B\x20var\x20xss\x3D\x26quot\x3Btrue;
?>
var foo = <?= $output ?>;
</script>
</head>
<body>
<p>Zend\Escaper\Escaper::escapeJs() is good for escaping javascript!</p>
</body>
</html>
```

In the above example, the JavaScript parser will most likely report a
`SyntaxError`, but at least the targeted application remains safe from such
attacks.